Static and Dynamic Filtering Order
Additionally, Static Content Filtering takes place before Dynamic Content Filtering (described
below), which allows the possibility of manually making exceptions from the automatic dynamic
classification process. In a scenario where goods have to be purchased from a particular online
store, dynamic content filtering might be set to prevent access to shopping sites by blocking the
"Shopping" category. By entering the online store's URL into the HTTP Application Layer
Gateway's whitelist, access to that URL is always allowed, taking precedence over Dynamic
Content Filtering.
Note: The hosts and networks blacklist is a separate feature
The URL filtering option described here is a separate concept from Section 6.8,
“Blacklisting Hosts and Networks”.
Using Wildcards
When blacklisting or whitelisting URLs, wildcards can be used. Wildcards can be used the path
following the URL hostname which means that filtering can be controlled to the file and
directory level.
Below are some good and bad blacklisted example URLs that include wildcards:
*.example.com/* Good. This will block all hosts in the example.com domain and all web
pages served by those hosts. This is the only correct form that can be
used with HTTPS.
www.example.com/* Good. This will block the www.example.com website and all web
pages served by that site.
*/*.gif Good. This will block all files with .gif as the filename extension.
www.example.com Not good. This will only block the first request to the web site. Surfing
to www.example.com/index.html, for example, will not be blocked.
*example.com/* Not good. This will also cause www.myexample.com to be blocked
since it blocks all sites ending with example.com.
URL Filtering with HTTPS Traffic
The encrypted nature of HTTPS traffic means that only URL filtering and dynamic web content
filtering can be performed. If URL filtering is to be performed on HTTPS traffic using an IP rule, the
following steps should be used:
• Create an HTTP ALG object and set the Allowed Protocol property to HTTPS.
• Add one or more HTTP ALG URL objects as children of the ALG to define URLs that are
whitelisted or blacklisted.
• Use this ALG in a Service object. The service object could be an existing or created object that
allows HTTPS traffic. The service must include the port number 443 for HTTPS.
• Use the service object with an IP rule.
Chapter 6: Security Mechanisms
505
To Next Page
Loading...
